19
Using Oracle Enterprise Security Manager

This chapter describes how to use Oracle Enterprise Security Manager to administer Enterprise User Security in Oracle9i databases. This chapter contains the following topics:

• Introduction
• Installing and Configuring Oracle Enterprise Security Manager
• Administering Enterprise Users
• Administering Oracle Contexts

Introduction

Oracle Enterprise Security Manager, a component of Oracle Enterprise Manager, is an administration tool employed by Oracle Advanced Security to manage enterprise users, enterprise domains, databases, and enterprise roles that are held in an LDAP-compliant directory service.

The directory service is used as a central repository to define user and server access information for a network. It stores naming information, global password definitions, PKI credentials, and application access authorizations for the users that it defines. Such centralized storage of enterprise users and their access privileges supports single sign-on capability, and provides secure, scalable user administration.

Installing and Configuring Oracle Enterprise Security Manager

The following tasks describe how to use Oracle Enterprise Security Manager to install Oracle Management Server and Oracle Enterprise Manager:

• Task 1: Configure an Oracle Internet Directory
• Task 2: Install Oracle Enterprise Manager
• Task 3: Start Oracle Enterprise Security Manager
• Task 4: Log On to the Directory

Task 1: Configure an Oracle Internet Directory

Oracle9i Enterprise User Security is based on an LDAP-compliant directory. The directory server must be properly installed and configured before Oracle Enterprise Manager can be used to manage Enterprise User Security. The following elements of directory configuration must be completed before proceeding:

• A compatible LDAP-compliant directory must be installed, running, and accessible over both standard LDAP and Secure Sockets Layer LDAP (LDAP/SSL).

  See Also: Oracle Internet Directory Administrator's Guide Appendix E, "Using Enterprise User Security with Microsoft Active Directory"

• Oracle Internet Directory must be configured to support Oracle9i directory schema objects and must include a root Oracle Context. You can use Oracle Net Configuration Assistant to configure both of these on the directory server.

  See Also: Oracle9i Net Services Administrator's Guide

Task 2: Install Oracle Enterprise Manager

Oracle Enterprise Manager is automatically installed by the Oracle9i Enterprise Edition server installation process, and includes all necessary functionality to support Enterprise User Security. Oracle Enterprise Manager is also installed by default with the Oracle9i infrastructure installation at the same time as Oracle Internet Directory. Oracle Enterprise Manager can also be installed separately in its own ORACLE_HOME, using the custom install option.

Task 3: Start Oracle Enterprise Security Manager

To launch Oracle Enterprise Security Manager, use one of the following options:

• (UNIX)

  From the Enterprise Manager ORACLE_HOME, enter the following at the command line:

  esm
  
  

• (Windows)

  Choose Start > Programs > Oracle - HOME_NAME > Integrated Management Tools > Enterprise Security Manager

The directory login box appears (Figure 19-1):

Figure 19-1 Directory Server Login Window

Text description of the illustration esm0001.gif

esm -cmd <options>

esm -cmd

Task 4: Log On to the Directory

Oracle Enterprise Security Manager provides three ways to connect to a directory server, summarized by Table 19-1:

Table 19-1 Oracle Enterprise Security Manager Authentication Methods

To select an authentication method, choose the appropriate option in the Directory Server Login Window (Figure 19-1).

Administering Enterprise Users

Oracle Enterprise Security Manager manages one directory server, identified at the top of the main application tree. It lets you manage users and Oracle Contexts in the directory. An Oracle Context is a subtree in a directory recognizable to Oracle products. It provides an administrative hierarchy for management of Oracle data including installed Oracle products that access the directory.

This section describes how to use Oracle Enterprise Security Manager to administer enterprise users. It contains the following topics:

• Creating New Enterprise Users
• Defining a Directory Base
• Defining a New Enterprise User Password
• Defining an Initial Enterprise Role Assignment
• Creating a Wallet
• Browsing Users in the Directory
• Browsing Users in the Directory
• Enabling Database Access

Creating New Enterprise Users

Use Oracle Enterprise Security Manager to create users in the directory.

To create new users, select Create Enterprise User... from the Operations menu. The Create User window appears (Figure 19-2).

Figure 19-2 Oracle Enterprise Security Manager: Create User Window (User Naming Tab)

Text description of the illustration esm0005.gif

Referring to Table 19-2, enter the appropriate user information required by the User Naming tabbed window; choose OK to create a new enterprise user.

Table 19-2 Create User Window Fields  

Defining a Directory Base

An enterprise user entry can reside at any base within the directory. The base can be any existing directory entry, such as country entry (c=us), or an organization entry (o=acme,c=us). Multiple users typically share the same directory base. This base associates all the users contained under it with the same high level organization in the hierarchy.

You can enter the base in the base field of the Create User window (Figure 19-2). Alternatively, you can browse the entire directory to select a suitable base by choosing the Browse... button (in the same window); the Browse Directory Window appears (Figure 19-3):

Figure 19-3 Oracle Enterprise Security Manager: Browse Directory Window

Text description of the illustration esm0006.gif

The Browse Directory window lets you navigate the directory by drilling down into each entry from the top of the directory tree. When a directory entry is selected its distinguished name (DN) is placed in the Selection field. To accept the selected Distinguished Name choose the OK button. This value is returned as the selected base for a new directory user, and is preserved for all subsequent operations that create or search for users in the directory--although you can change it from time to time.

Defining a New Enterprise User Password

The Password tab of the Create User Window (Figure 19-4) lets you define and maintain the enterprise user password:

Figure 19-4 Oracle Enterprise Security Manager: Create User Window (Password Tab)

Text description of the illustration esm0007.gif

The enterprise user password is used for:

• Directory logon.
• Database logon, to databases that support password authentication for global users.
• A new Oracle Wallet, if created for the new user at this time.

When creating a new password, you can choose one of the following options:

• Accept the default password that is displayed
• Choose a randomly generated password
• Manually enter a password

To send the password to the new user by e-mail, select Notify User by Email, and instruct the new user to change the password after its first use. The e-mail address from the User Naming tab in Figure 19-2 is used.

Defining an Initial Enterprise Role Assignment

When you create a new enterprise user, you can grant any previously configured enterprise roles to a new user.

To select one or more enterprise roles to grant to a new user, choose the Add... button on the Enterprise Roles tab of the Create User window.

The Add Enterprise Roles window appears (Figure 19-5):

Figure 19-5 Oracle Enterprise Security Manager: Add Enterprise Roles Window

Text description of the illustration esm0009.gif

Select the correct Oracle Context, then select any enterprise roles in your Oracle Context to assign to the new user; choose OK.

Creating a Wallet

A sample Oracle Wallet containing a new digital certificate, private key, and certificate trust points may be generated for the new user in an encrypted binary format. The Oracle Wallet will be stored with the new user in the directory server as part of the directory entry for the user. To create a sample wallet for new users, choose the Wallet tab of the Create User window (Figure 19-6).

Figure 19-6 Oracle Enterprise Security Manager: Create User Window (Wallet Tab)

Text description of the illustration esm0037.gif

The distinguished name (DN) under which the new User will be created is used by default as the DN for the digital certificate to be contained in the new user's Oracle wallet. The user cannot connect to the database if the DNs of user certificates are not equal to their DNs in the directory. However, you may edit the DN to be used for the certificate before generating the wallet by editing the contents of the Issued For: field.

A sample Oracle wallet will be created when you click the Generate Wallet... button. When you select a user from the Edit User window (see Figure 19-8) a userpkcs12 attribute is visible in the attribute list of that user. The userpkcs12 attribute represents the wallet created in this step.

Browsing Users in the Directory

Oracle Enterprise Security Manager lets you browse the directory for all users currently stored.

To browse enterprise users, choose the All Users tab in the main window (Figure 19-7):

Figure 19-7 Oracle Enterprise Security Manager: Main Window (All Users Tab)

Text description of the illustration esm0011.gif

To search for users in the directory, define the search criteria and choose the Search Now button. The window displays the results of the search. Table 19-3 summarizes the search criteria and their respective effects on the search results:

Table 19-3 Directory Search Criteria

Example:

Selecting a user from the search results for editing.

To edit one of the returned user names, select the target user name and choose the Edit... button--or just double-click the target user name in the list (Figure 19-8):

Figure 19-8 Oracle Enterprise Security Manager: Edit User Window

Text description of the illustration esm0013.gif

When you select a directory user for edit, you can change the password and enterprise role assignments--and you can modify the user wallet in the same manner as during its initial creation.

Enabling Database Access

The user entry must reside in a directory subtree of users that has been enabled for Oracle database access. You can set Oracle Database Access permissions for a selected subtree--to let databases within a domain in the Password-Accessible Domains group read the user's login credentials.

To enable database access:

On a selected subtree of directory users, set Oracle Database Access permissions to permit databases in the Password-Accessible Domains group to access the user's database login credentials:

• Select the target user subtree under Users, by Search Base
• Select Allow logon to Databases in Authorized Enterprise Domains

Administering Oracle Contexts

An Oracle Context is a subtree in a directory that contains the data used by any installed Oracle product that uses the directory. Oracle Enterprise Security Manager is one such product. It lets you manage database and security-related information in the directory, in an Oracle Context.

Oracle Context Versions

Oracle Enterprise Security Manager can support multiple Oracle Contexts in a directory, including Oracle8i and Oracle9i versions. However, Oracle9i Enterprise User Security can only be managed using an Oracle9i Oracle Context. Oracle Enterprise Security Manager for Oracle9i may be used to manage version 9i Oracle Contexts as well version 8i Oracle Contexts in the directory.

Oracle Enterprise Security Manager displays all existing Oracle Contexts in its main application tree--including both Oracle8i and Oracle9i versions. In the following example (Figure 19-9), Oracle Enterprise Security Manager is connected to an Oracle directory that has been configured to support the Oracle9i directory schema and an Oracle9i root Oracle Context.

Defining Properties of an Oracle Context

An Oracle Context has a number of properties that can be viewed and managed in the Enterprise Security Manager window (Figure 19-9, Table 19-4):

Figure 19-9 Oracle Enterprise Security Manager: General Tab

Text description of the illustration esm0014.gif

To understand the properties of an Oracle Context, refer to Table 19-4:

Table 19-4 Oracle Context Properties

Registering a Database in the Directory

Using Oracle Enterprise Security Manager to register a database with the directory is new in this release. You can also use Database Configuration Assistant to register a database with the directory. Table 19-5 lists the differences between using these two Oracle tools.

Table 19-5 Differences between Using Oracle Enterprise Security Manager and Database Configuration Assistant to Register a Database with the Directory

Prerequisites

If you want to generate a placeholder database wallet, then you must first run the following tool at the command line:

esm -genca

Follow the prompts that this tool displays. This tool creates a simulated certificate authority in your Oracle wallet directory.

To register a database with the directory:

1. In the Enterprise Security Manager main window, select Register Database from the Operations menu. The Database Registration window appears.
2. Fill in the appropriate values in the fields for the database that you want to register. Note: to register the database by using Oracle Enterprise Security Manager, the SID for the database must be equal to the short database name.

   If you need to edit the Connect String, then select Store TNS Connect String, which makes that field available for editing.

3. If you want to generate a placeholder wallet for the database that you are registering, then select Generate Wallet and enter the wallet password.

   If you do not see the Generate Wallet option, then ensure that you have run the esm -genca tool that is described in "Prerequisites".

4. After filling in all of the information, click OK to create a database entry in the directory.
5. A dialog box instructs you to set the RDBMS_SERVER_DN parameter in the server parameter file (spfile.ora) by entering the following command at a SQL*Plus prompt:

   ALTER SYSTEM SET RDBMS_SERVER_DN=SERVER_DN SCOPE SPFILE
   
   

6. After entering this command, restart the database so the new parameter setting can be read by the system.

Defining User Search Bases

Common user search bases can be added to or removed from an Oracle9i Oracle Context using the General tabbed window (Figure 19-9).

To remove a user search base from an Oracle Context:

1. Using the Oracle Enterprise Security Manager General tabbed window (Figure 19-9), select a search base from the Common User Search Bases list, and choose the Remove... button.
2. Choose the Apply button; the user search base is removed from the Oracle Context in the directory.

To add a new user search base to an Oracle Context:

1. Using the Oracle Enterprise Security Manager General tabbed window (Figure 19-9), choose the Add... button; the Browse Directory window appears (Figure 19-10):

Figure 19-10 Oracle Enterprise Security Manager: Browse Directory (User Search Bases)

Text description of the illustration esm0015.gif

• Navigate the directory tree and select an entry for a user search base. Alternatively, you can edit the contents of the Selection field in this window to manually define the user search base.
• Choose OK; the selected entry is added to the list of user search bases in the General tabbed window (Figure 19-9).
• Choose Apply (Figure 19-9); the user search base is added to the Oracle Context in the directory.

  Defining Oracle Context Administrators

  An Oracle Context contains administrative groups that have varying levels of privileges for operations within an Oracle Context. Some administrative groups are only available in Oracle9i Oracle Contexts and some are available in both Oracle8i and Oracle9i Oracle Contexts. The administrative groups for an Oracle Context are defined by Table 19-6:

  Table 19-6 Oracle Context Administrators

  Administrative Group	Definition	Oracle9i Version	Oracle8i Version
  Full Context Management	All possible Administrator privileges for all product areas in the Oracle Context.	Yes	No
  Directory User Management	Can view directory user password reminders and update passwords.	Yes	No
  Database Security Management	Can manage all enterprise domains and roles in the Oracle Context.	Yes	Yes
  Database Registration	Can register a new database in the Oracle Context.	Yes	Yes
  Oracle Net Management	Can manage Oracle Net objects in the Oracle Context.	Yes	Yes

  Use the Administrators tab of the Oracle Enterprise Security Manager main window to manage Oracle Context Administrators(Table 19-11):

  Figure 19-11 Oracle Enterprise Security Manager Administrator's Tab

  

  Text description of the illustration esm0016.gif

  To remove a user from a list of Oracle Context Administrators:

  1. Choose the Administrator Category (Table 19-6); a list of administrators within this category is displayed.
  2. Select a user name from the list.
  3. Choose the Remove button; the selected user is removed from the list.
  4. Choose the Apply button; the selected user is removed as an Oracle Context Administrator from the selected Administrator Category.

  Figure 19-12 Oracle Enterprise Security Manager: Add Users Window

  

  Text description of the illustration esm0017.gif

  To add a new user to the list of Oracle Context Administrators:

  1. Choose the Add... button in Figure 19-11; the Add Users screen appears (Figure 19-12).

     Use this window to locate and select users in the directory. There are three panels in the window:

     • Top panel: The directory search tree.
     • Middle panel: Search criteria that determine the users returned by the search.
     • Bottom panel: Search results--users found in the directory that match the search criteria.
  2. Navigate the Directory (in the top panel) to select a directory entry as a user search base. You can edit the contents of the selection field in this window to manually define the user search base.
  3. Check the Include Subtrees option in the middle panel (Search Criteria). This selection option searches for all users within the search base, including subtrees.
  4. Enter any known User Name in the Show Names Containing field to which user names returned by the search must conform. This limits the search to users in the directory who have a common name value that is or starts with the specified text.
  5. Choose the Search Now button (middle panel). If there are any users in the directory at the base you have selected that match your search criteria they are listed in the window.
  6. Select the desired user name either by selecting it from the list and choosing OK, or by double-clicking it. Multiple users can be selected from the list by selecting a range of users and choosing OK. The new users appear in the list of Administrators under the category you have selected.

     Note: This window is commonly used throughout Oracle Enterprise Security Manager where it is necessary to select users from the directory.

  Managing Password Accessible Domains

  There are three requirements for a database to accept a connection from a password-authenticated user:

  • The database must be a member of a domain configured to accept Password and SSL authentication (See: Table 19-8).
  • The domain must be a member of a password-accessible domains group, called the Password-Accessible Domains List, added by an Oracle Context Administrator or a Database Security Administrator. Domain members of this list can read the user's password verifier in the directory, while those excluded from this list cannot. The domain must be part of an Oracle9i, or later, Oracle Context.
  • The user entry must be in a directory subtree of users that has been enabled for Oracle database access. You can set Oracle Database Access permissions for a selected subtree that lets databases in the Password-Accessible Domains List read the users' database login information.

  To configure password accessibility:

  1. Add the target database to an enterprise domain that has been configured to accept Password and SSL user authentication.

     See Also: Defining Database Membership of an Enterprise Domain Managing Database Security Options for an Enterprise Domain

  2. In a selected Oracle9i, or later, Oracle Context, add the domain to the Password-Accessible Domains List. Choose Add and select one of the current enterprise domains from the resulting dialog. To remove an enterprise domain from the list, select it in the Accessible Domains window and choose Remove.
  3. On a selected subtree of directory users, set Oracle database access permissions to permit databases in the Password-Accessible Domains List to access the users' database login information:
     • Select the target user subtree under Users, by Search Base.
     • Select Allow Logon to Database in Authorized Enterprise Domain for that subtree.

       See Also: Security of User Database Login Information

       Note: Password accessible domains require an Oracle9i Oracle Context.

  Managing Database Security

  Once databases are registered in the directory, you can use Oracle Enterprise Security Manager to manage user access to those databases. This is achieved using the following objects in the Oracle Context (Table 19-7):

  Table 19-7 Oracle Enterprise Security Manager: Oracle Context Objects

  Object	Description
  Database	A directory entry representing a registered database.
  Enterprise Domain	A grouping of databases registered in the directory, upon which a common user access model for database security can be implemented
  Enterprise Role	An Authorization that spans multiple databases within an enterprise domain. It is an enterprise role to which individual roles can be granted on each of the databases in an enterprise domain.
  Mapping	A mapping object is used to map the distinguished name (DN) of a user to a database schema that the user will access.

  See Also: Oracle9i Database Administrator's Guide Chapter 15, Using Oracle Enterprise Security Manager

  Managing Database Administrators

  A Database Administrator is a directory user that has privileges to modify the database and its subtree in the Oracle Context. Database Administrators may be managed using the Administrators tabbed window when a database is selected under an Oracle Context in the main application tree (Figure 19-11).

  To remove a user from the list of Database Administrators:

  1. Select a user from the list of administrators.
  2. Choose Remove; the selected user is removed from the list.
  3. Choose Apply; the user is removed as a Database Administrator for that database in the Oracle Context.

  To add a new user to the list of Database Administrators:

  1. Choose Add; the Add Users window appears (Figure 19-12). Use this window to locate and select users in the directory.
  2. Select a user or users from the directory to be added as a Database Administrator; the new user(s) is displayed in the Administrators tabbed window (Figure 19-11).
  3. Choose Apply; the new Administrator(s) is added to the database in the Oracle Context.

     See Also: Creating New Enterprise Users Browsing Users in the Directory

  Managing Database Schema Mappings

  Database schema mappings let databases that are registered in the directory accept connections from users without requiring any dedicated database schemas for them. For example, when local user Scott connects to a database, a database schema called Scott must exist--for that logon to be successful. This can be difficult to maintain if there are thousands of users and perhaps hundreds of databases in a very large enterprise.

  Users that are defined in an LDAP-compliant directory do not require dedicated schemas on every Oracle8i or later database to which they might connect.

  A database can use a schema mapping to share one database schema between multiple directory users. The schema mapping is a pair of values: the base in the directory at which users exist, and the name of the database schema they will use.

  You can use the Database Schema Mappings tabbed window to manage database schema mappings--when a database is selected under an Oracle Context in the main application tree. This window contains a list of database schema names and Directory Base pairs (Figure 19-13):

  Figure 19-13 Oracle Enterprise Security Manager: Database Schema Mappings Tab

  

  Text description of the illustration esm0020.gif

  To remove a mapping from the list of database schema mappings in an enterprise domain:

  1. Select a mapping by selecting from the Database Schema Mapping tabbed window.
  2. Choose Remove. The selected Mapping is removed from the list.
  3. Choose Apply; the mapping is removed from the enterprise domain.

  To add a new mapping to the list of database schema mappings in the enterprise domain:

  1. Choose Add...; the Add Database Schema Mappings window appears (Figure 19-14):

  Figure 19-14 Oracle Enterprise Security Manager: Add Database Schema Mappings Window

  

  Text description of the illustration esm0021.gif

  Use this window to locate and select a base in the directory and pair it with a database schema name, to make a database schema mapping. There are two components to the window: there is a directory search tree from which to select a base, and a field in which to enter a schema name.

• Navigate the directory to select a desired entry as a base for the database schema mapping. This can be any directory entry but should be located above the subtree of users to be mapped. You can also edit the contents of the Directory Entry field in this window to manually define the base.
• Enter the name of the database schema for which this Mapping will be made into the Schema field, and choose OK. This must be a valid name, for a schema that already exists on that database.The new database schema mapping appears in the database schema mappings window (Figure 19-13).
• Choose Apply; the new database schema mapping is added to the selected database in the Oracle Context.

  Administering Enterprise Domains

  An Oracle Context contains at least one enterprise domain called OracleDefaultDomain. The OracleDefaultDomain is part of the Oracle Context when it is first created in the directory. When a new database is registered into an Oracle Context it automatically becomes a member of the OracleDefaultDomain in that Oracle Context. You can create and remove your own enterprise domains but you cannot remove the OracleDefaultDomain from an Oracle Context.

  To create a new enterprise domain in an Oracle Context, use either of the following methods:

  • Select Create Enterprise Domain from the Operations menu (Figure 19-13).
  • Select an Oracle Context from the main application tree with a right mouse-click.

    The Create Enterprise Domain window appears (Figure 19-15):

  Figure 19-15 Oracle Enterprise Security Manager: Create Enterprise Domain Window

  

  Text description of the illustration esm0023.gif

  To create the new enterprise domain:

  1. Select the appropriate Oracle Context from the drop-down list (Figure 19-15).

     Note: If you invoked the Create Enterprise Domain window by right-clicking the Oracle Context in the main application tree, the name of that Oracle Context is already selected.

  2. Enter the name of the new enterprise domain, in the Domain Name field.
  3. Choose OK; the new enterprise domain is created in the Oracle Context, and appears on the main application tree.

  To remove an enterprise domain:

  1. Select the target enterprise domain from the main application tree (Figure 19-13).
  2. Use either of the following methods:
     • Select Remove Enterprise Domain from the Operations menu.
     • Select an enterprise domain from the main application tree with a right mouse-click.
  3. Oracle Enterprise Security Manager asks you to confirm removal of the enterprise domain from the Oracle Context; choose OK to remove it.

     Note: You cannot remove an enterprise domain from an Oracle Context if that enterprise domain still contains any enterprise roles.

  Defining Database Membership of an Enterprise Domain

  Use the application tree of the main Oracle Enterprise Security Manager window to select a target enterprise domain. You can then use the Databases tab to manage database membership of an enterprise domain in an Oracle Context (Figure 19-16):

  Figure 19-16 Oracle Enterprise Security Manager: Databases Tab (Database Membership)

  

  Text description of the illustration esm0025.gif

  To remove a database from an enterprise domain:

  1. Select a target database for removal, and choose Remove...; the database is removed from the list.
  2. Choose Apply; the database is removed from the enterprise domain in the Oracle Context.

  To add a database to an enterprise domain:

  Note: You can only add a database to an enterprise domain if both the database and the enterprise domain exist in the same Oracle Context. It follows, therefore, that: An enterprise domain cannot contain a database from a different Oracle Context. A database cannot be added as a member of two different enterprise domains.

  1. Choose Add... (Figure 19-16); the Add Databases window appears. This window lists all the databases associated with the Oracle Context (Figure 19-17):

  Figure 19-17 Oracle Enterprise Security Manager: Add Databases Window

  

  Text description of the illustration esm0026.gif

• Select a new target database to be added to the enterprise domain.
• Choose OK; the selected database is added to the list of databases in the Databases tabbed window (Figure 19-16).
• Choose Apply (Figure 19-16); the new database is added to the enterprise domain in the Oracle Context.

  Managing Database Security Options for an Enterprise Domain

  Use the Databases tabbed window (Figure 19-16) to manage database security options applicable to all databases that are members of the enterprise domain.

  Database security options are summarized by Table 19-8:

  Table 19-8 Oracle Enterprise Security Manager Database Security Options

  Database Security Option	Description
  Enable current user database links	Any database pair can only permit use of Current User Database Links if both databases exist in an enterprise domain in which this setting is enabled.
  User authentication	All databases in an enterprise domain must enforce one of the following types of authentication for its clients: Oracle Net SSL Authentication only using Oracle Wallets. Either Password or Oracle Net SSL Authentication (default).

  Managing Enterprise Domain Administrators

  An Enterprise Domain Administrator is a directory user with privileges to modify the content of that domain. You can use the Administrators tabbed window (Figure 19-11) to manage Enterprise Domain Administrators when an enterprise domain is selected under an Oracle Context in the main application tree.

  To remove a user from the list of Enterprise Domain Administrators:

  1. Select a user from the list of Administrators.
  2. Choose Remove; the selected user is removed from the list.
  3. Choose Apply; the user is removed as an Enterprise Domain Administrator for that domain in the Oracle Context.

  To add a new user to the list of Enterprise Domain Administrators:

  1. Choose Add... ; the Add Users window appears. Use this window to locate and select target users for designation as Enterprise Domain Administrators. The new users appear in the Administrators tabbed window.
  2. Choose Apply; the new Administrators are added to the enterprise domain in the Oracle Context.

  Managing Enterprise Domain Database Schema Mappings

  As previously discussed, database schema mappings can be managed for each database in an Oracle Context. Schema mappings can also be defined for each enterprise domain in an Oracle Context, using the database schema mappings tabbed window with an enterprise domain selected in the main application tree. These mappings apply to all databases that are members of the enterprise domain. Therefore, each database in the enterprise domain must have a schema of the same name used in the mapping for that mapping to be effective on that database.

  Figure 19-18 Oracle Enterprise Security Manager: Database Schema Mappings Tab

  

  Text description of the illustration esm0027.gif

  To remove a mapping from the list of database schema mappings in the enterprise domain (Figure 19-18):

  1. Select a mapping from the Database Schema Mappings list.
  2. Choose Remove; the selected mapping is removed from the list.
  3. Choose Apply; the mapping is removed from the enterprise domain.

  To add a new mapping to the list of database schema mappings in the enterprise domain (Figure 19-18):

  1. Choose Add...; the Add Database Schema Mappings window appears. Use this window to locate and select a base in the directory for the new mapping, as discussed previously.
  2. Enter a new database schema mapping to the enterprise domain.
  3. Choose Apply; the new database schema mapping is added to the enterprise domain selected in the Oracle Context.

     See Also: Managing Database Schema Mappings Defining a Directory Base

  Administering Enterprise Roles

  An enterprise domain within an Oracle Context can contain multiple enterprise roles. An enterprise role is a set of Oracle role-based authorizations across one or more databases in an enterprise domain.

  To create a new enterprise role:

  You can create an enterprise role in an enterprise domain either from the Operations menu on the Oracle Enterprise Security Manager main window (Figure 19-18), or by right-clicking an enterprise domain in the main application tree. In either case, the Create Enterprise Role window appears (Figure 19-19):

  Figure 19-19 Oracle Enterprise Security Manager: Create Enterprise Role Window

  

  Text description of the illustration esm0030.gif

  1. Choose the target Oracle Context from the Oracle Context drop-down list; this is the Oracle Context containing the target enterprise domain--to hold the new enterprise role.

     Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the Oracle Context is already selected.

  2. Select the appropriate enterprise domain for the new enterprise role, from the Enterprise Domain list.

     Note: If you invoked the Create Enterprise Role window by right-clicking an enterprise domain, the name of the enterprise domain is already selected.

  3. Enter the name of the new enterprise role in the Role Name field.
  4. Choose OK; the new enterprise role is created in the enterprise domain, and appears on the main application tree.

  To remove an enterprise role:

  1. Select the target enterprise role from the main application tree (Figure 19-18).
  2. Choose Remove Enterprise Role, either from the Operations menu or by right-clicking the enterprise domain in the main application tree.
  3. Oracle Enterprise Security Manager asks you to confirm the removal of the enterprise role; choose Yes.

  Assigning Database Global Role Membership to an Enterprise Role

  Use the Database Global Roles tabbed window (Figure 19-20) of the Oracle Enterprise Security Manager main window to manage database global role membership in an enterprise role. This window lists the names of each global role that belongs to the enterprise role, along with the name of the database on which that global role exists.

  Figure 19-20 Oracle Enterprise Security Manager: Database Global Roles Tab

  

  Text description of the illustration esm0031.gif

  When populating an enterprise role with different database roles it is only possible to reference roles on databases that are configured to be global roles on those databases. A global role on a database is identical to a normal role, except that the Database Administrator has defined it to be authorized only through the directory. A Database Administrator cannot locally grant and revoke global roles to users of the database.

  To remove a database global role from an enterprise role:

  1. Select a global role from the list in the main application tree, and choose Remove...; the global role is removed from the list.
  2. Choose Apply; the global role is removed from the enterprise role in the enterprise domain.

  To add a global role to an enterprise role:

  1. Choose Add... (Figure 19-20); the Add Global Database Roles window appears. This window lists all of the databases in the enterprise domain--from which global roles can be selected to add to an enterprise role.
  2. Select a database from which to obtain global roles. A window appears and prompts you for logon details to authenticate to the database (and fetch global roles). Typically, this is a DBA logon to that database.

  Figure 19-21 Oracle Enterprise Security Manager: Database Authentication Required Window

  

  Text description of the illustration esm0034.gif

  Note: The name of the database appears in the Service field by default. You can use this name to connect to the database if your ORACLE_HOME has LDAP enabled as its Oracle Net naming method, or if this name appears as a TNS alias in your local Oracle Net configuration. Otherwise, you can overwrite the content of the Service field with any other TNS alias configured for that database, or by a connect string in the format: <host>:<port>:<oracle sid> Example: cartman:1521:broncos

• Choose OK; Oracle Enterprise Security Manager connects you to the given database and fetches the list of global roles supported on that database. The list of values, if any, is displayed in the Add Global Database Roles window.
• Select one or more global roles from the list of returned values and choose OK; these global roles appear in the Database Global Roles tabbed window (Figure 19-20).
• Choose Apply; the new global roles are added to the enterprise role in the enterprise domain.

  Managing Enterprise Role Grantees

  An enterprise role grantee is a directory user granted an enterprise role, including all database global roles contained within that enterprise role. You can use the Enterprise Users tabbed window (Figure 19-22) to manage enterprise role grantees, when an enterprise role is selected under an enterprise domain in the main application tree.

  To remove a user from the list of enterprise role grantees (Figure 19-22):

  1. Select a user from the list of grantees.
  2. Choose Remove; the selected user is removed from the list.
  3. Choose Apply; the user is removed as a grantee for that enterprise role in the enterprise domain.

  To add a new user to the list of enterprise role grantees:

  1. Choose Add...; the Add Users window appears (Figure 19-12). Use this window to locate and select one or more directory users to add as enterprise role grantees. The new users appear in the Enterprise Users Page (Figure 19-22):

  Figure 19-22 Oracle Enterprise Security Manager: Enterprise Users Tab

  

  Text description of the illustration esm0036.gif

• Choose Apply; the new grantees are added to the enterprise role in the enterprise domain.

  You can assign enterprise roles to this newly created enterprise user by selecting the user and choosing the Enterprise Role tab.

  See Also: Defining an Initial Enterprise Role Assignment